Skip to content

bugzilla
bugzilla
You need to sign in or sign up before continuing.
Switch branch/tag
Find file
BlameHistoryPermalink
Cookie.pm 4.72 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 
# This Source Code Form is subject to the terms of the Mozilla Public
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at http://mozilla.org/MPL/2.0/.
#
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.

package Bugzilla::Auth::Login::Cookie;

use 5.10.1;
use strict;
use warnings;

use base qw(Bugzilla::Auth::Login);
use fields qw(_login_token);

use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Token;
use Bugzilla::Util;

use List::Util qw(first);

use constant requires_persistence  => 0;
use constant requires_verification => 0;
use constant can_login             => 0;

sub is_automatic { return $_[0]->login_token ? 0 : 1; }

# Note that Cookie never consults the Verifier, it always assumes
# it has a valid DB account or it fails.
sub get_login_info {
  my ($self) = @_;
  my $cgi    = Bugzilla->cgi;
  my $dbh    = Bugzilla->dbh;
  my ($user_id, $login_cookie);

  if (!Bugzilla->request_cache->{auth_no_automatic_login}) {
    $login_cookie = $cgi->cookie("Bugzilla_logincookie");
    $user_id      = $cgi->cookie("Bugzilla_login");

    # If cookies cannot be found, this could mean that they haven't
    # been made available yet. In this case, look at Bugzilla_cookie_list.
    unless ($login_cookie) {
      my $cookie = first { $_->name eq 'Bugzilla_logincookie' }
      @{$cgi->{'Bugzilla_cookie_list'}};
      $login_cookie = $cookie->value if $cookie;
    }
    unless ($user_id) {
      my $cookie = first { $_->name eq 'Bugzilla_login' }
      @{$cgi->{'Bugzilla_cookie_list'}};
      $user_id = $cookie->value if $cookie;
    }

    # If the call is for a web service, and an api token is provided, check
    # it is valid.
    if (i_am_webservice() && Bugzilla->input_params->{Bugzilla_api_token}) {
      my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
      my ($token_user_id, undef, undef, $token_type)
        = Bugzilla::Token::GetTokenData($api_token);
      if ( !defined $token_type
        || $token_type ne 'api_token'
        || $user_id != $token_user_id)
      {
        ThrowUserError('auth_invalid_token', {token => $api_token});
      }
    }
  }

  # If no cookies were provided, we also look for a login token
  # passed in the parameters of a webservice
  my $token = $self->login_token;
  if ($token && (!$login_cookie || !$user_id)) {
    ($user_id, $login_cookie) = ($token->{'user_id'}, $token->{'login_token'});
  }

  my $ip_addr = remote_ip();

  if ($login_cookie && $user_id) {

    # Anything goes for these params - they're just strings which
    # we're going to verify against the db
    trick_taint($ip_addr);
    trick_taint($login_cookie);
    detaint_natural($user_id);

    my $db_cookie = $dbh->selectrow_array(
      'SELECT cookie
                                   FROM logincookies
                                  WHERE cookie = ?
                                        AND userid = ?
                                        AND (ipaddr = ? OR ipaddr IS NULL)', undef,
      ($login_cookie, $user_id, $ip_addr)
    );

    # If the cookie or token is valid, return a valid username.
    # If they were not valid and we are using a webservice, then
    # throw an error notifying the client.
    if (defined $db_cookie && $login_cookie eq $db_cookie) {

      # If we logged in successfully, then update the lastused
      # time on the login cookie
      $dbh->do(
        "UPDATE logincookies SET lastused = NOW() 
                       WHERE cookie = ?", undef, $login_cookie
      );
      return {user_id => $user_id};
    }
    elsif (i_am_webservice()) {
      ThrowUserError('invalid_cookies_or_token');
    }
  }

  # Either the cookie or token is invalid and we are not authenticating
  # via a webservice, or we did not receive a cookie or token. We don't
  # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to
  # actually throw an error when it gets a bad cookie or token. It should just
  # look like there was no cookie or token to begin with.
  return {failure => AUTH_NODATA};
}

sub login_token {
  my ($self)     = @_;
  my $input      = Bugzilla->input_params;
  my $usage_mode = Bugzilla->usage_mode;

  return $self->{'_login_token'} if exists $self->{'_login_token'};

  if (!i_am_webservice()) {
    return $self->{'_login_token'} = undef;
  }

  # Check if a token was passed in via requests for WebServices
  my $token = trim(delete $input->{'Bugzilla_token'});
  return $self->{'_login_token'} = undef if !$token;

  my ($user_id, $login_token) = split('-', $token, 2);
  if (!detaint_natural($user_id) || !$login_token) {
    return $self->{'_login_token'} = undef;
  }

  return $self->{'_login_token'}
    = {user_id => $user_id, login_token => $login_token};
}

1;